SuSEfirewall 2 - redirect ports on internal interface to DMZ
I am moving a mail server from the internal network to the DMZ. This move should be invisible to the end user. Last but not least: some hundred mail clients are configured to consult an IP, not a name, so I can't solve the issue by configuring my DNS server.

This is my configuration:

      200.x.x.x (public IP)
              |
      SuSEfirewall-192.168.254.1--------192.168.254.2 MailServer
              |
        192.168.0.249
              |
       internal network

I have to access the mail server by an IP in the 192.168.0.0/24 range. External traffic I can easily redirect with FW_FORWARD_MASQ= to an IP in the DMZ. Internal traffic I can redirect to a local port on the firewall with FW_REDIRECT.

Is it possible to redirect all traffic coming in on the internal interface for 192.168.0.249 to 192.168.254.2? Any custom rule? I was googling for quite a while too, but didn't find any rule doing a forward on the internal interface.

Any idea is appreciated!

Thanks
Enrique

--
Dirk Enrique Seiffert - Lintec S.A.
Ed. Torre del Reloj - Of. 401
Plaza de los Coches, Centro
Cartagena - Colombia
http://www.lintecsa.com

--
This message has been scanned by MailScanner for viruses and other dangerous content, and is considered clean.
Hi Dirk,

check out rinetd. It should solve your problems.

Dirk

Dirk Enrique Seiffert wrote:
> Is it possible to redirect all traffic coming in on the internal interface for 192.168.0.249 to 192.168.254.2? Any custom rule?
--
There are 10 sorts of people in this world: those who understand binary, and those who don't.

TRIA IT-consulting GmbH
Joseph-Wild-Straße 20
81829 München
Germany
Tel: +49 (89) 92907-0
Fax: +49 (89) 92907-100
http://www.tria.de
Commercial register: Registergericht München HRB 113466
VAT ID: DE 180017238
Tax no.: 802/40600
Managing director: Rosa Igl
--------------------------------------------------------
Message from: Dirk.Schreiner@tria.de
Message to: ds@caribenet.com, suse-security@suse.com
# Attachments: 0
You could try this rule. I'm not an expert in SuSEfirewall2...

FW_FORWARD_MASQ="192.168.0.0/24,192.168.254.2,tcp,110,110,192.168.0.249 \
                 192.168.0.0/24,192.168.254.2,tcp,25,25,192.168.0.249"

I used your configuration to make the example, and this is the syntax:

<source network>,<ip to forward to>,<protocol>,<port>[,redirect port,[destination ip]]

I use it to redirect my local web server and it works. Sorry for my English, I'm Paraguayan.

Greetz

2006/9/27, Dirk Schreiner <Dirk.Schreiner@tria.de>:
> Hi Dirk,
>
> check out rinetd. It should solve your problems.
>
> Dirk
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
--
---------------------------------------------------------
Ing. Ariel Guerrero
Mailto: ariel.guerrero@gmail.com
Phone: +595 981 425040
Asunción - Paraguay
> check out rinetd. It should solve your problems.

Right, this was the quick and easy solution! Thanks a lot.

(A "FW_FORWARD_MASQ" will only work on the masqueraded interface.)
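As an added example (not code from the thread, from SuSEfirewall2 or from rinetd), the script below spells out the two options the thread discusses: the DNAT custom rule on the internal interface that Ariel's FW_FORWARD_MASQ line was aiming at but which FW_FORWARD_MASQ cannot produce for a non-masqueraded interface, and the rinetd.conf that Enrique ended up using, together with the one practical difference between them (whether the mail server still sees the workstation's address). The interface names eth1/eth2, the placement of the rules in fw_custom_before_masq() of /etc/sysconfig/scripts/SuSEfirewall2-custom, the "allow 192.168.0.*" line and the assumption that 192.168.0.249 is free for the firewall to take over are all mine, not stated in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Two ways to make connections that the
# LAN clients still send to 192.168.0.249 land on the DMZ mail server at
# 192.168.254.2 (ports 25 and 110, as in Ariel's rule): a DNAT custom rule
# on the internal interface, and the rinetd.conf equivalent.
# Assumptions not stated in the thread: the firewall's internal interface is
# eth1 and its DMZ interface eth2, and 192.168.0.249 is free after the move,
# so the firewall can take that address on the LAN side.

INT_IF="${INT_IF:-eth1}"
DMZ_IF="${DMZ_IF:-eth2}"
OLD_IP="${OLD_IP:-192.168.0.249}"   # address the clients still connect to
NEW_IP="${NEW_IP:-192.168.254.2}"   # mail server in the DMZ
PORTS="${PORTS:-25 110}"

# (a) DNAT on the internal interface. The commands are printed, not run, so
# they can be reviewed first; on the firewall they would go into
# fw_custom_before_masq() in /etc/sysconfig/scripts/SuSEfirewall2-custom
# (enabled through FW_CUSTOMRULES), because FW_FORWARD_MASQ only generates
# rules for the masqueraded (external) interface.
dnat_rules() {
    # The firewall must answer for OLD_IP on the LAN, otherwise the clients'
    # ARP requests go unanswered and no packet ever reaches the DNAT rule.
    echo "ip addr add $OLD_IP/24 dev $INT_IF"
    for p in $PORTS; do
        # Rewrite the destination while the packet is still addressed to the
        # old LAN IP; conntrack reverses the mapping on the reply packets.
        echo "iptables -t nat -A PREROUTING -i $INT_IF -p tcp -d $OLD_IP --dport $p -j DNAT --to-destination $NEW_IP:$p"
        # Only the two mail ports may cross from LAN to DMZ for this host.
        echo "iptables -A FORWARD -i $INT_IF -o $DMZ_IF -p tcp -d $NEW_IP --dport $p -m state --state NEW,ESTABLISHED -j ACCEPT"
    done
    # Replies from the DMZ: no SNAT is needed as long as the mail server
    # routes 192.168.0.0/24 back through the firewall (its DMZ address
    # 192.168.254.1), so the server still sees the real client addresses.
    echo "iptables -A FORWARD -i $DMZ_IF -o $INT_IF -p tcp -s $NEW_IP -m state --state ESTABLISHED -j ACCEPT"
}

# (b) rinetd: a user-space TCP proxy listening on OLD_IP and connecting to
# NEW_IP. No kernel NAT is involved, but the mail server now sees every
# connection as coming from the firewall's DMZ address, not from the
# workstation, so per-client logs, rate limits or "trusted LAN" relay rules
# on the mail server no longer see the real client.
rinetd_conf() {
    # A global allow rule (placed before any forwarding line, so it applies
    # to all of them): only the internal LAN may use the proxy.
    echo "allow 192.168.0.*"
    for p in $PORTS; do
        # rinetd.conf format: bindaddress bindport connectaddress connectport
        echo "$OLD_IP $p $NEW_IP $p"
    done
}

case "${1:-}" in
    dnat)   dnat_rules ;;     # ./redirect.sh dnat | sh        (on the firewall)
    rinetd) rinetd_conf ;;    # ./redirect.sh rinetd > /etc/rinetd.conf
esac
```

With option (a) the mail server keeps seeing 192.168.0.x client addresses and the firewall's FORWARD chain stays the single place that decides what may cross from LAN to DMZ; with option (b) every mail connection reaches the server from 192.168.254.1, so anything on the server that trusts or limits by client address has to be revisited after the move.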
participants (3):
- Ariel Guerrero
- Dirk Enrique Seiffert
- Dirk Schreiner